Information Risk Management: Automated Control and Continuous Monitoring
Slide deck transcript, 36 slides. April 2012. Copyright 2012 Infogix, Inc. - Confidential

Page 1:

Information Risk Management: Automated Control and Continuous Monitoring

April 2012

Copyright 2012 Infogix, Inc. - Confidential

Page 2:

Agenda

• Information Risk Context
• Information Control Types
• Information Control and Continuous Auditing Cases
• Information Control Working Session
• Next Steps

Page 3:

Risk Context

Page 4:

Balancing Act Between Operations, Risk and Control

[Diagram. Labels shown: Business Objectives; Business Environment; Process; Operations; Performance Management; Risk; Risks; Tolerance; Risk Response; Risk Management; Control Objectives; Control Techniques; Controls; Information Flow; Operations, Risk and Control Monitoring.]

Page 5:

Risk Management Options

[Diagram: RISK branches into the four primary options below; responses shown alongside them: Accept at present level, Reprice, Self insure, Offset, Control, Accept, Reject.]

• Reduce
• Retain
• Avoid
• Transfer

Page 6:

COSO Enterprise Risk Management Framework

[Diagram of the framework.]

Ref: COSO ERM, 2004. Ref: COSO Internal Control Framework, 1992.

Page 7:

COBIT – Framework

IT Resources
• Data
• Application systems
• Technology
• Facilities
• People

Domains
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

Source: ISACA, 2007

Page 8:

Risk | Controls | KRI/KPI

Risk: the chance of something happening that will have a negative impact upon an organization's objectives and related assets.

Control: information-based routines or procedures which senior management uses to alter or maintain patterns in organizational activities.

KRI: a measurement, observed or calculated, that indicates the presence or state of a condition or trend regarding a certain risk.

Page 9:

Information Control Types

Page 10:

Information Control Universe

• Corporate Policy and Governance Controls
• Management and Administrative Controls
• Financial and Accounting Control
• Application Control
• Inter-Application Control
• Transaction Control

Ref: CICA

Page 11:

Application Controls

General Controls
• Segregation of duties
• Software approval
• Software change approval and change controls
• Database administration
• Access and machine controls

Information Controls
• Input controls
• Processing controls
• Output controls
• Error correction controls

Page 12:

Inter Application Controls

[Diagram: application A sends data to application B.]

1. Does a control verify that the total number of records that passed out of application A actually made it into application B?
2. Does the total record amount or transaction value sent from application A match the amount received by application B?
3. Is there a consistent and independent process by which each of the detailed line items between the two sources is reconciled?

Page 13:

Inter Application Controls

[Diagram: application A sends data to application B.]

4. Does the control system detect the presence of duplicate transactions?
5. Does it detect the case where a file provided by application A is never processed by application B?
6. Did all of the information that application A sent to application B make it into application B within an expected amount of time?
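The six inter-application questions above, turned into one control routine over batches that application A reports having sent and application B reports having loaded. This is an added example in Python, not code from the deck or from Infogix; the batch layout, the record ids and the one-hour transit SLA are assumptions made for the illustration.

```python
"""Added example: the six inter-application control questions applied to
batches sent by application A and loaded by application B. Batch layout,
ids and the one-hour transit SLA are assumptions for this illustration."""
from collections import Counter
from datetime import datetime, timedelta
from decimal import Decimal

SLA = timedelta(hours=1)  # assumed maximum A-to-B transit time

# Constructed sample: what A's control totals say left A, and what B actually loaded.
SENT_BY_A = {
    "B-001": [("r1", Decimal("100.00")), ("r2", Decimal("250.50")), ("r3", Decimal("75.25"))],
    "B-002": [("r4", Decimal("10.00")), ("r5", Decimal("20.00"))],
    "B-003": [("r6", Decimal("999.99"))],
}
A_SENT_AT = {
    "B-001": datetime(2012, 4, 1, 1, 0),
    "B-002": datetime(2012, 4, 1, 1, 5),
    "B-003": datetime(2012, 4, 1, 1, 10),
}
RECEIVED_BY_B = {
    # r2 loaded twice and r3 lost: the record count still matches, the hash total does not
    "B-001": [("r1", Decimal("100.00")), ("r2", Decimal("250.50")), ("r2", Decimal("250.50"))],
    "B-002": [("r4", Decimal("10.00")), ("r5", Decimal("20.00"))],
    # B-003 never arrived at B
}
B_LOADED_AT = {
    "B-001": datetime(2012, 4, 1, 1, 20),
    "B-002": datetime(2012, 4, 1, 3, 0),
}


def check_batch(batch_id):
    """Return the exceptions for one batch; an empty dict means all six controls passed."""
    sent = SENT_BY_A[batch_id]
    received = RECEIVED_BY_B.get(batch_id)
    findings = {}

    # Q5: a file A produced that B never processed.
    if received is None:
        findings["never_processed"] = True
        return findings

    # Q1: record counts must agree.
    if len(sent) != len(received):
        findings["count"] = (len(sent), len(received))

    # Q2: hash totals (sum of amounts) must agree.
    sent_total = sum(amount for _, amount in sent)
    received_total = sum(amount for _, amount in received)
    if sent_total != received_total:
        findings["amount"] = (sent_total, received_total)

    # Q4: duplicate transactions on the receiving side.
    duplicates = sorted(rid for rid, n in Counter(rid for rid, _ in received).items() if n > 1)
    if duplicates:
        findings["duplicates"] = duplicates

    # Q3: line-item reconciliation as a multiset difference in each direction.
    sent_items, received_items = Counter(sent), Counter(received)
    missing_in_b = sorted((sent_items - received_items).elements())
    extra_in_b = sorted((received_items - sent_items).elements())
    if missing_in_b or extra_in_b:
        findings["line_items"] = {"missing_in_b": missing_in_b, "extra_in_b": extra_in_b}

    # Q6: timeliness against the SLA.
    delay = B_LOADED_AT[batch_id] - A_SENT_AT[batch_id]
    if delay > SLA:
        findings["late_by"] = delay
    return findings


def run_controls():
    """Run every batch A reports having sent through the six checks."""
    return {batch_id: check_batch(batch_id) for batch_id in SENT_BY_A}


if __name__ == "__main__":
    for batch_id, findings in run_controls().items():
        print(batch_id, "PASS" if not findings else findings)
```

Batch B-001 is the case that matters in practice: a replayed record and a dropped record cancel out in the record count (question 1 passes), so only the hash total (question 2) and the line-item reconciliation (question 3) expose it. Batch B-003 shows why question 5 must be driven from the sender's list of files, not the receiver's.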

Page 14:

Transaction Controls

• Integrity of Transactions
• Path of Transactions
• Timeliness of Transactions
• Exception Management

Page 15:

Finance and Accounting Controls

Page 16:

Hierarchy of Controls

Break complex checks into smaller, more manageable pieces:
• Low-level: Transaction
• Mid-level: Account
• High-level: Portfolio/client

Consider the level when analyzing the best control for the situation:
• High-level controls affect the largest number of processes.
• Mid-level controls are required for more detailed processing, after high-level controls are performed.
• Low-level controls are required for verifying the lowest level of detail.

Source: Infogix Conference, 2007

Page 17:

Deterministic Information Control Portfolio

Page 18:

Verification | Working Example

[Data-flow diagram. Labels: External system; Commission feed; Edits and Audits; Agent control file; Invalid records; Valid records; Counter of valid records; Sorting and Merging process; Month to date file (shown twice); Database; "At the end of the month sent to the commission". Control points C1 and C2 are marked on this flow.]

Page 19:

Balancing | Working Example

[Same data-flow diagram as the Verification example (commission feed, Edits and Audits, agent control file, valid and invalid records, counter of valid records, Sorting and Merging process, month to date file, database, end-of-month file to the commission), with control points C3 and C4 marked.]

Page 20:

Reconciliation | Working Example

[Same data-flow diagram as the Verification example, with control point C5 marked.]

Page 21:

Tracking | Working Example

[Same data-flow diagram as the Verification example, with control point C6 marked.]

Page 22:

Statistical Information Control Portfolio

Temporal
• Shewhart's Control Chart
• Reasonability
• Range / Outliers

Spatial
• Gaps
• Benford's Law
• Duplicate / Split

Ratio
• Benchmarking
• Min/Max ratio analysis
• Max/Max 2 ratio analysis
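Three of the statistical controls in the portfolio above, implemented as an added example (Python, not code from the deck or from Infogix): a Benford's Law first-digit test, a Shewhart individuals control chart over daily totals with limits taken from an in-control baseline period, and a sequence gap check. The sample data, the 5 % chi-square threshold and the 2.66 limit constant are assumptions made for the illustration.

```python
"""Added example: statistical information controls over transaction data.
Benford first-digit test, Shewhart individuals (X-mR) chart and a sequence
gap check. Sample data, thresholds and constants are assumptions."""
import math
from collections import Counter

# Benford's Law: expected share of leading digit d is log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRIT_8DF_5PCT = 15.51  # chi-square critical value, 8 degrees of freedom, 5 % level


def first_digit(x):
    """Leading non-zero digit of a non-zero number, independent of its magnitude."""
    return int(f"{abs(x):.6e}"[0])


def benford_test(amounts):
    """Chi-square of observed first digits against Benford; returns (chi2, flagged)."""
    digits = Counter(first_digit(a) for a in amounts if a != 0)
    n = sum(digits.values())
    chi2 = sum((digits[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d]) for d in range(1, 10))
    return chi2, chi2 > CHI2_CRIT_8DF_5PCT


def shewhart_limits(baseline, k=2.66):
    """Individuals chart limits from an in-control baseline. k = 3/d2 with d2 = 1.128
    for moving ranges of two consecutive points, i.e. a 3-sigma limit."""
    mean = sum(baseline) / len(baseline)
    moving_ranges = [abs(b - a) for a, b in zip(baseline, baseline[1:])]
    mr_bar = sum(moving_ranges) / len(moving_ranges)
    return mean - k * mr_bar, mean, mean + k * mr_bar


def shewhart_exceptions(series, limits):
    """Indexes of the points that fall outside the control limits."""
    lcl, _, ucl = limits
    return [i for i, v in enumerate(series) if v < lcl or v > ucl]


def sequence_gaps(numbers):
    """Missing values in a sequence that should be contiguous (check or invoice numbers)."""
    present = set(numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


# Constructed samples.
# Log-uniform amounts from 1 to 10,000 span four orders of magnitude, so their
# leading digits follow Benford's Law closely.
NATURAL_AMOUNTS = [10 ** (i / 500) for i in range(2000)]
# Invoices all kept just under an assumed 5,000 approval limit: the leading digit is always 4.
SUSPICIOUS_AMOUNTS = [4500 + (i % 500) for i in range(2000)]
BASELINE_DAILY_TOTALS = [1000, 1020, 990, 1010, 1005, 995, 1015, 1000]
CURRENT_DAILY_TOTALS = [1010, 1400, 940, 1030]
CHECK_NUMBERS = [1001, 1002, 1004, 1006, 1007]

if __name__ == "__main__":
    print("benford natural   :", benford_test(NATURAL_AMOUNTS))
    print("benford suspicious:", benford_test(SUSPICIOUS_AMOUNTS))
    limits = shewhart_limits(BASELINE_DAILY_TOTALS)
    print("control limits:", limits, "exceptions:", shewhart_exceptions(CURRENT_DAILY_TOTALS, limits))
    print("gaps:", sequence_gaps(CHECK_NUMBERS))
```

The control limits are computed from a baseline period and then applied to new observations; computing them from the period under test would let a large excursion widen the limits and hide itself. Benford's Law only applies to amounts that span several orders of magnitude and are not assigned or capped, so a flagged result is a prompt for investigation rather than evidence of fraud on its own.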

Page 23:

Application of Controls in the Real World

Page 24:

Information Risk Scenarios in Business

• Transaction Processing Risk
• External Information Exchange Risk
• Financial Reporting Risk
• Fraud Risk
• Data Integrity of the risk reporting warehouse

Page 25:

Transaction Processing Risk

Risks
• Lost message ~ lost revenue, customer complaints, rework
• Delayed message ~ SLA fines, rework

Controls
• Real-time, end-to-end balancing and reconciliation
• Real-time message tracking

Example Processes
• Orders, Settlement
• ATM, Deposit
• Inter system verification
• Money Movement

Page 26:

External Information Exchange

[Diagram: File #1, File #2, ... File #494, File #495 pass through a Gateway to the Payment Processor Data.]

Risks
• Incomplete Transaction
• Dropped Transaction
• SLA violation

Controls
• Source system balancing
• Dropped transaction monitoring
• Error profiling

Page 27:

Financial Reporting Risk | GL Reconciliation | An Example in Use

[Diagram. Systems shown: Commercial Loans; LOB Data Warehouse; Company Data Warehouse; Subsidiary General Ledger; Parent Company General Ledger; Regulatory Reporting; GAAP Reporting; Performance report; Adjustments/Additions (Non Systematic Accounts, Tickets). Checks placed on the hand-offs between them: Aggregate Balance Check; Principal Balance Check (at several points); Record Count Check; Duplicate Check.]

Page 28:

Fraud Risk

• Policy System: detect fraudulent policy
• Claims System: detect invalid claims; detect fraudulent claims
• Commission System: detect fraudulent commissions
• Accounts Payable System: detect duplicate invoices; detect unauthorized T&E expenses

Page 29:

Data Warehouse Information Risk

[Diagram: data from Subsidiaries, Lines of Business and Service Lines is loaded by ETL jobs into the ERM Data Warehouse, which feeds Statutory Reporting, Basel II Reporting and Risk Reporting.]

Risks
• Lost data during ETL process
• Limited traceability

Controls
• Validate completeness of ETL loads into ERM DW
• Verify transformations during ETL process
• Assure correctness of ERM data
• Verifiable audit trails of testing and test cases

Page 30:

Information Risk Assessment and Auditing

Page 31:

Information Controls Assessment | Scenario

A leading financial services processing company receives approximately 10 million transactions (as flat files) from its various branches. The transactions are processed each night to update customers' accounts and financial systems.

One key challenge is to validate the integrity of all incoming information. There are incidents in which certain incoming information is not accounted for, resulting in customer complaints. In addition, certain transactions are accounted for twice, which results in financial loss and, in certain cases, customer dissatisfaction.

An Information Controls Assessment was recommended to identify areas where Information Controls may be deployed to mitigate the above risks.

Page 32:

Information Flow and Control Gaps

[Diagram of the nightly flow: Mainframe fixed files (E1) are delivered to the Processing Server and its Staging Area; Process 1 and Process 2 move the data through Staging Area II into the CRM system (which updates customer-specific information) and the Financial System (which stores financial information such as revenue and expenses). Questions raised at each stage:]

• How to ensure the integrity of transaction information within incoming files?
• How to ensure that all expected files have arrived?
• How to ensure that no duplicate file has arrived?
• How to ensure that all incoming transactions are recorded appropriately?
• How to ensure that the customer information is recorded appropriately?
• How to ensure that all incoming transactions are recorded appropriately and reconcile with the financial system?
• How to ensure that the financial information is recorded appropriately?

Page 33:

High Level Control Recommendation

[Same flow as the previous slide: Mainframe fixed files (E1), Processing Server and Staging Area, Process 1, Staging Area II, Process 2, CRM system (updates customer-specific information), Financial System (stores financial information such as revenue and expenses). Recommended controls at each stage:]

• Incoming files: check the integrity of each file by validating that the information in the detail records (e.g. number of records, total amount) matches the trailer data of the same file.
• Incoming files: detect duplicate files.
• Incoming files: do an attendance check to ensure all expected files have arrived.
• Staging area to CRM: reconcile the number of records and dollar value of the transactions between the staging area and the CRM system.
• CRM system: validate that the CRM system was updated properly (current balance = previous balance + changes).
• CRM to Financial: reconcile the number of records and transformed dollar value of the transactions between the CRM and the financial systems.
• Financial system: validate that the financial system was updated properly (current balance = previous balance + changes).
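The incoming-file controls recommended above (detail-versus-trailer integrity, duplicate-file detection, attendance check) and the balance roll-forward check, as an added example in Python that is not part of the deck or of any Infogix product. The fixed-width record layout of the mainframe files, the file ids and the expected-file list are assumptions made for the illustration; amounts are handled as integer cents so no rounding can creep into the totals.

```python
"""Added example: file-level information controls for a nightly flat-file feed.
Record layout, file ids and the expected-file list are assumptions made for
this illustration; amounts are handled as integer cents."""
import hashlib

# Assumed fixed-width layout:
#   H + 8-char file id
#   D + 10-char account number + 12-char amount in cents
#   T + 6-char detail record count + 14-char amount total in cents
# Constructed sample files.
FILE_A = (
    "HBR010401\n"
    "D0000000001000000010000\n"   # account 1, 100.00
    "D0000000002000000025050\n"   # account 2, 250.50
    "D0000000003000000007525\n"   # account 3,  75.25
    "T00000300000000042575\n"     # 3 records, 425.75
)
FILE_B = (
    "HBR020401\n"
    "D0000000004000000001000\n"   # account 4, 10.00
    "D0000000005000000002000\n"   # account 5, 20.00
    "D0000000005000000002000\n"   # account 5, 20.00 again (replayed record)
    "T00000200000000003000\n"     # trailer claims 2 records, 30.00
)
FILE_A_AGAIN = FILE_A             # the same file delivered twice


def parse_fixed(text):
    """Split a file into (file_id, [(account, cents), ...], (trailer_count, trailer_cents))."""
    file_id, details, trailer = None, [], None
    for line in text.splitlines():
        tag = line[:1]
        if tag == "H":
            file_id = line[1:9]
        elif tag == "D":
            details.append((line[1:11], int(line[11:23])))
        elif tag == "T":
            trailer = (int(line[1:7]), int(line[7:21]))
        else:
            raise ValueError(f"unknown record type {tag!r}")
    return file_id, details, trailer


def integrity_check(text):
    """Detail records must agree with the trailer on record count and hash total;
    identical detail records inside one file are reported as duplicates."""
    file_id, details, trailer = parse_fixed(text)
    findings = []
    count, total = len(details), sum(cents for _, cents in details)
    if trailer is None:
        findings.append("missing trailer record")
    else:
        if count != trailer[0]:
            findings.append(f"record count {count} != trailer count {trailer[0]}")
        if total != trailer[1]:
            findings.append(f"amount total {total} != trailer total {trailer[1]}")
    seen, duplicates = set(), []
    for record in details:
        if record in seen:
            duplicates.append(record)
        seen.add(record)
    if duplicates:
        findings.append(f"duplicate detail records: {duplicates}")
    return file_id, findings


def fingerprint(text):
    """Duplicate-file detection keyed on content, so a re-sent file is caught even under a new name."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def attendance_check(expected_ids, received_files):
    """Every expected file must arrive exactly once: report missing and re-delivered files."""
    seen, received_ids, duplicate_files = set(), [], []
    for text in received_files:
        digest = fingerprint(text)
        file_id = parse_fixed(text)[0]
        if digest in seen:
            duplicate_files.append(file_id)
        else:
            seen.add(digest)
            received_ids.append(file_id)
    missing = [fid for fid in expected_ids if fid not in received_ids]
    return {"missing": missing, "duplicate_files": duplicate_files}


def rollforward_check(previous_balance, changes, current_balance):
    """Current balance must equal previous balance plus the net of the posted changes.
    Returns (passed, unexplained_difference)."""
    expected = previous_balance + sum(changes)
    return expected == current_balance, current_balance - expected


if __name__ == "__main__":
    for f in (FILE_A, FILE_B):
        print(integrity_check(f))
    print(attendance_check(["BR010401", "BR020401", "BR030401"], [FILE_A, FILE_B, FILE_A_AGAIN]))
    print(rollforward_check(100000, [10000, -2500], 108000))
```

The trailer check catches a file that was truncated or had a record replayed in transit (FILE_B fails on count, total and the duplicate record), the content hash catches a whole file delivered twice regardless of what it was named, and the attendance check is driven from the list of files that were expected rather than the files that happened to arrive. The roll-forward check is the same "current balance = previous balance + changes" rule the slide applies to both the CRM and the financial system.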

Page 34:

Information Controls Assessment Exercise

[Diagram: raw data feeds A1, A2 and A3 enter Data Conversion, which emits Exceptions and Formatted data. Formatted data, the Customer profile and the Fee table drive Billing generation, which produces Error records, the Online bill, the Invoice and a load into the Data warehouse. Labels C1, C2 and C3 mark points on the flow.]

Distribute Handout to Audience

Page 35:

Information Controls Assessment Solution

[Same diagram as the exercise slide (raw data A1, A2, A3; Data Conversion; Exceptions; Formatted data; Billing generation with Customer profile and Fee table; Error record; Online bill; Invoice; Data warehouse; labels C1, C2, C3), with proposed control points I1 through I6 marked on the flow.]

Distribute Solution Set to Audience

Page 36:

Conclusion

• Information Risk is pervasive.
• Information Risk Exposure can be identified through a structured methodology.
• Information Risk can be managed through Automated Controls.
• Information Controls need to be audited periodically, since the Information Risk profile changes with time.